Title: Risk Assessment Procedure
Document ID: [PROC-RISK-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Risk Assessment Procedure

## Purpose

This procedure defines how BlackDice should perform and record information security risk assessments using the approved methodology.

## Scope

This procedure applies to assessments of in-scope services, systems, projects, suppliers, changes, exceptions, incidents, and other relevant activities.

## Trigger / When Used

Use this procedure when:

- a new system, service, supplier, or change is introduced
- a periodic risk review is due
- an incident, audit finding, or exception requires assessment
- management requests reassessment due to changed conditions

## Procedure Steps

1. Define the subject of the assessment, including scope, owner, context, and assessment objective.
2. Identify relevant assets, threats, vulnerabilities, dependencies, and potential impacts.
3. Assess likelihood and impact using the approved risk methodology and current business context.
4. Determine the initial risk rating and compare it with the risk acceptance criteria.
5. Identify proposed treatment options, compensating controls, or risk acceptance needs.
6. Assign a risk owner, review date, and action plan where treatment is required.
7. Record the assessment outcome in the approved format or register.
8. Escalate significant risks for approval, treatment prioritisation, or formal acceptance as required.

## Inputs

- assessment scope and context
- asset and service information
- risk methodology
- supporting evidence such as architecture, incidents, audits, or supplier data

## Outputs / Records

- completed risk assessment
- treatment actions or acceptance decision
- risk register update
- escalation record where applicable

## Roles and Responsibilities

- Assessors must apply the methodology consistently and document the rationale.
- Risk owners must review and accept accountability for assigned risks.
- [Role] must maintain oversight of process quality and risk tracking.

## Escalation / Exceptions

Escalate where:

- a risk exceeds normal acceptance thresholds
- ownership is unclear
- the treatment plan cannot be agreed
- the risk has customer, regulatory, or major service implications

Exceptions to the process must be documented and approved where necessary.

## Related Documents

- Risk Assessment and Treatment Methodology
- Exception Management Procedure
- Corrective Action Procedure
- Risk Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |